There is no description at this point.
rule win_lurk_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-12-22" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lurk" malpedia_rule_date = "20201222" malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130" malpedia_version = "20201023" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { ff7508 ff15???????? 8b35???????? 50 ff7508 } // n = 5, score = 1100 // ff7508 | push dword ptr [ebp + 8] // ff15???????? | // 8b35???????? | // 50 | push eax // ff7508 | push dword ptr [ebp + 8] $sequence_1 = { 8b4508 5b 5f 5e c9 c3 55 } // n = 7, score = 900 // 8b4508 | mov eax, dword ptr [ebp + 8] // 5b | pop ebx // 5f | pop edi // 5e | pop esi // c9 | leave // c3 | ret // 55 | push ebp $sequence_2 = { c7450802000000 8d45f8 50 ff7508 } // n = 4, score = 800 // c7450802000000 | mov dword ptr [ebp + 8], 2 // 8d45f8 | lea eax, [ebp - 8] // 50 | push eax // ff7508 | push dword ptr [ebp + 8] $sequence_3 = { e8???????? 59 83f86f 7553 0fbe4207 } // n = 5, score = 800 // e8???????? | // 59 | pop ecx // 83f86f | cmp eax, 0x6f // 7553 | jne 0x55 // 0fbe4207 | movsx eax, byte ptr [edx + 7] $sequence_4 = { e8???????? 59 83f872 7577 0fbe4204 50 } // n = 6, score = 800 // e8???????? | // 59 | pop ecx // 83f872 | cmp eax, 0x72 // 7577 | jne 0x79 // 0fbe4204 | movsx eax, byte ptr [edx + 4] // 50 | push eax $sequence_5 = { 817dfcfe030000 7323 8b45fc 8b4de4 8d548108 } // n = 5, score = 800 // 817dfcfe030000 | cmp dword ptr [ebp - 4], 0x3fe // 7323 | jae 0x25 // 8b45fc | mov eax, dword ptr [ebp - 4] // 8b4de4 | mov ecx, dword ptr [ebp - 0x1c] // 8d548108 | lea edx, [ecx + eax*4 + 8] $sequence_6 = { 7523 8d85fcfeffff 50 ff7508 e8???????? 59 59 } // n = 7, score = 800 // 7523 | jne 0x25 // 8d85fcfeffff | lea eax, [ebp - 0x104] // 50 | push eax // ff7508 | push dword ptr [ebp + 8] // e8???????? | // 59 | pop ecx // 59 | pop ecx $sequence_7 = { c70424???????? ff15???????? 85c0 743e } // n = 4, score = 800 // c70424???????? | // ff15???????? | // 85c0 | test eax, eax // 743e | je 0x40 $sequence_8 = { e8???????? 0fb74606 83c414 ff45fc 83c328 3945fc 72bc } // n = 7, score = 800 // e8???????? | // 0fb74606 | movzx eax, word ptr [esi + 6] // 83c414 | add esp, 0x14 // ff45fc | inc dword ptr [ebp - 4] // 83c328 | add ebx, 0x28 // 3945fc | cmp dword ptr [ebp - 4], eax // 72bc | jb 0xffffffbe $sequence_9 = { 85c0 7506 ff15???????? 6a04 } // n = 4, score = 800 // 85c0 | test eax, eax // 7506 | jne 8 // ff15???????? | // 6a04 | push 4 $sequence_10 = { 83c00b 50 bf???????? 57 ff35???????? ffd6 } // n = 6, score = 800 // 83c00b | add eax, 0xb // 50 | push eax // bf???????? | // 57 | push edi // ff35???????? | // ffd6 | call esi $sequence_11 = { 8b4dc0 034814 894dfc 8b45e0 8b4010 } // n = 5, score = 800 // 8b4dc0 | mov ecx, dword ptr [ebp - 0x40] // 034814 | add ecx, dword ptr [eax + 0x14] // 894dfc | mov dword ptr [ebp - 4], ecx // 8b45e0 | mov eax, dword ptr [ebp - 0x20] // 8b4010 | mov eax, dword ptr [eax + 0x10] $sequence_12 = { 0fbe4203 50 e8???????? 59 83f870 0f8581000000 0fbe4204 } // n = 7, score = 800 // 0fbe4203 | movsx eax, byte ptr [edx + 3] // 50 | push eax // e8???????? | // 59 | pop ecx // 83f870 | cmp eax, 0x70 // 0f8581000000 | jne 0x87 // 0fbe4204 | movsx eax, byte ptr [edx + 4] $sequence_13 = { 83c410 85db 7412 8b451c } // n = 4, score = 800 // 83c410 | add esp, 0x10 // 85db | test ebx, ebx // 7412 | je 0x14 // 8b451c | mov eax, dword ptr [ebp + 0x1c] $sequence_14 = { 69c055550500 8945f0 69c077770700 8945f4 53 8b450c ff30 } // n = 7, score = 800 // 69c055550500 | imul eax, eax, 0x55555 // 8945f0 | mov dword ptr [ebp - 0x10], eax // 69c077770700 | imul eax, eax, 0x77777 // 8945f4 | mov dword ptr [ebp - 0xc], eax // 53 | push ebx // 8b450c | mov eax, dword ptr [ebp + 0xc] // ff30 | push dword ptr [eax] $sequence_15 = { 66890a e9???????? 0fb745fc 83f804 0f85b6000000 } // n = 5, score = 800 // 66890a | mov word ptr [edx], cx // e9???????? | // 0fb745fc | movzx eax, word ptr [ebp - 4] // 83f804 | cmp eax, 4 // 0f85b6000000 | jne 0xbc condition: 7 of them and filesize < 5316608 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY